Bucks for Bugs

There's money to be made, legitimate and otherwise, for those who find software vulnerabilities

The going rate for a good security bug can help an undergrad pay for tuition or a cash-strapped researcher put a down payment on a car. And that's just if he or she sells it to a legitimate security software firm, which pays anywhere from $2,000 to $10,000 a bug.

The black market can be even more lucrative. A bad guy hacker can get $20,000 to $30,000 for a "weaponized" exploit, says David Maynor, senior researcher for SecureWorks. (See Getting Buggy with the MOBB.) "This is something that is pretty much fire-and-forget and wouldn't require much technical expertise to run," Maynor says.

What the two markets have in common is potential impact: The more targets a bug can hit if it's converted into an exploit and let loose in the wild, the more it pays.

Among the security firms that do business with bug writers are 3Com/TippingPoint's Zero Day Initiative, iDefense, and Digital Armaments. "They typically pay between $2,000 and $10,000 for these so they are able to better protect their clients from these exploits and work with vendors to help them develop protections," Maynor says.

It's a controversial practice. IDefense has been criticized for reselling bugs it buys, as well as for its promotions. It recently held a contest that paid $10,000 for remote Windows vulnerabilities, for example.

3Com's year-old Zero Day Initiative has about 400 registered researchers from whom the firm has purchased over 100 bugs, according to Terri Forslof, security response manager for 3Com's Zero Day Initiative program. And the program has yielded results, she says. "We've released 25 public advisories and have a slew in the queue waiting for the vendors to correct them," says Forslof, who wouldn't disclose what 3Com pays the bug-writers.

No one knows for sure just how much you can make on the black market, but tens of thousands of dollars for a browser bug isn't unheard of. The infamous Windows MetaFile vulnerability used in malware last year was reportedly purchased by bad guys for $4,000.

"There are small communities of researchers doing this and managing to sell to crime syndicates," says one researcher who requested anonymity.

Most vendors that buy bugs say they are careful about whom they deal with. ImmunitySec, which purchases vulnerabilities for its Canvas penetration-testing tool, tries to work mostly with researchers it knows, says David Aitel, ImmunitySec's CTO. "When we're buying a bug, we typically know the people we're dealing with. We're more likely to buy from 'friends and family'," Aitel says.

There's a lengthy contract negotiation phase involved in a bug buy, too, Aitel says, and ImmunitySec could pay the researcher $2,500 and then spend another $2,500 in legal negotiation fees.

And ImmunitySec doesn't fork out the big bucks like iDefense and others. "We're not going to pay tens of thousands of dollars for the perfect bug," he says. "We get approached all the time. Sometimes we get burnt, sometimes not. If they are dishonest, their price usually goes up" which kills the deal.

But the practice of bugs for money has its ethical dilemma, too. Does offering money for bugs basically create a monster, or does it actually tame potential monsters out there in the wild?

Peter Lindstrom, research director for Spire Security, says he doesn't necessarily buy the altruistic claims of researchers who sell their handiwork to security vendors. "When there's money interests involved, you can no longer claim altruistic motives," he says. "I get tired of folks saying this will reduce risk. Clearly, all this stuff demonstrated in the real world increases our risk -- the typical buffer overflow or cross-site scripting bug isn't going to help anything."

Lindstrom says he's torn, though, on whether having this somewhat formalized process for sharing vulnerabilities is better than nothing. "Offering money creates a market. But [the legitimate buyers] attract these folks into a more open, structured process, which is better" than the unchecked black market, he says, and it creates a nice paper trail, too. But he also worries this more formal market inadvertently boosts a bug's black market potential as well.

Not all researchers sell their bugs, however, and not all security firms will buy them. EEye Digital Security, for instance, hires its own bug hunters and doesn't buy or sell what it finds. "Organizations that do are adding a level of legitimacy to the underground market that has always existed," says Steve Manzuik, research manager for eEye. EEye takes its vulnerability findings to vendors first, such as Microsoft, he says.

There's no way to stop a money-hungry bug writer from starting a bidding war between the good guys and bad guys, either. "Whoever pays more gets the goods. It is naive to assume that the good guys will always, or even often, outbid the criminally intended bidders," says Ivan Arce, CTO of Core Security, which finds vulnerabilities in software but doesn't sell them.

Bug finders, meanwhile, sometimes score "real job" opportunities when they sell their vulnerability research to security firms. Aitel says the bulk of ImmunitySec's research is done in-house, so if a bug-writer's work is good enough for the company to buy, he or she is probably qualified for hiring and could be considered for a job.

Whether it's more cost-effective to work as a freelance bug writer or to take a day job depends on how many saleable bugs you can produce. A vulnerability researcher costs a security company about $80,000 to $100,000 per year, Arce says, so a freelancer would have to generate ten big-time bugs worth about $10,000 apiece to match a legitimate salary. "You would need to be really good at it and dedicate full time to the task."

Still, there's a healthy market for the freelancers. "Clearly, the model works because the supply of bugs is generated not by professional bug finders, but by amateurs or hobbyists that are either unemployed or perform other duties for their official employer," Arce says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
